Platform
wordpress
Component
my-auctions-allegro-free-edition
Fixed in
3.6.34
CVE-2025-68567 describes a Cross-Site Request Forgery (CSRF) vulnerability in the My auctions allegro WordPress plugin (slug my-auctions-allegro-free-edition). The flaw lets an attacker trick an authenticated user's browser into sending plugin requests the user did not intend, which the advisory describes as potentially leading to unauthorized modification or deletion of auction listings. All versions up to and including 3.6.33 are affected (the advisory lists the range as 0.0.0 through 3.6.33); the fix is in version 3.6.34.
A successful CSRF attack lets an attacker make a logged-in user's browser send a plugin request the user never intended, riding on that user's WordPress session cookie; the attacker needs no credentials of their own. Per the advisory this could mean manipulating auction listings without the user's knowledge or consent, for example changing prices, marking items as sold, or deleting listings outright, depending on which plugin actions lack a nonce or referer check. The attacker crafts the request (a hidden auto-submitting form, or simply an image or link for actions triggered by GET) and lures the user to a page carrying it, typically through phishing or social engineering, while the user is logged in to WordPress. The blast radius is limited to that user's account and the actions their role permits within the plugin, so administrators and shop managers are the most valuable victims. Modern browsers' SameSite=Lax cookie default narrows the window for cross-site POST requests but does not close it, and it does not help at all for actions triggered by GET. While this does not directly lead to system compromise, it can cause significant disruption and financial loss for sellers and auction participants.
CVE-2025-68567 was publicly disclosed on December 24, 2025. No public proof-of-concept (PoC) code is known at the time of writing, and there are no indications of active exploitation campaigns targeting this vulnerability. The EPSS score at the time of writing is 0.02% (6th percentile), a low predicted probability of exploitation. Refer to the vendor's advisory for further details.
WordPress site owners running the My auctions allegro plugin at any version up to and including 3.6.33 (listed as 0.0.0–3.6.33). Sites whose plugin updates are applied by a hosting provider or a central management tool rather than by the site owner remain exposed until that process rolls out 3.6.34, so check the installed version rather than assuming auto-update has already run.
• wordpress (WP-CLI, run from the site root; the plugin is listed by its slug, not its display name):
wp plugin list --fields=name,version,status | grep 'my-auctions-allegro-free-edition'
• wordpress (filesystem, when WP-CLI is unavailable; reads the Version: line of the plugin header):
grep -rhE '^\s*\*?\s*Version:' /var/www/html/wp-content/plugins/my-auctions-allegro-free-edition/ --include='*.php' | head -n 1
• generic web (unauthenticated fingerprint; many hosts block readme.txt and the Stable tag can lag the real version, so treat a miss as inconclusive):
curl -s https://example.com/wp-content/plugins/my-auctions-allegro-free-edition/readme.txt | grep -i 'Stable tag'
Any reported version of 3.6.33 or lower is affected.
Disclosure
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the My auctions allegro plugin to version 3.6.34 or later. If an immediate upgrade is not possible because of compatibility or testing requirements, reduce exposure until it is: deactivate the plugin if the site can tolerate it, or limit the accounts that can reach its admin pages, since a CSRF victim can only trigger the actions their own role allows. A Web Application Firewall (WAF) rule that rejects state-changing requests to the plugin's admin endpoints when the Origin or Referer header is missing or does not match the site's own origin is a reasonable stop-gap, with the caveat that it relies on the browser sending those headers. Adding CSRF tokens is the real fix, but in WordPress that means nonce checks inside the plugin's own handlers (wp_nonce_field() on the form, check_admin_referer() or check_ajax_referer() plus a current_user_can() capability check in the handler); that is the vendor's responsibility, and patching a third-party plugin locally means re-applying the patch on every update. After upgrading, confirm the fix in a test environment: while logged in, submit the relevant form from a page on a different origin without a valid nonce and verify that the request is rejected (WordPress answers a failed nonce check with HTTP 403).
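What the nonce-and-capability fix looks like in WordPress terms, as an added illustration that is not code from the My auctions allegro plugin or its vendor. The mya_demo_* names, the listing_id field and the mya_delete_listing action are assumed for the example; the WordPress functions used (check_admin_referer, current_user_can, wp_nonce_field, admin_url, wp_safe_redirect, wp_die) are real core APIs.

```php
<?php
/*
 * Added example, not the plugin's own code: a hypothetical admin-post
 * handler that deletes a listing, first without protection and then with
 * the two checks a CSRF fix needs. All mya_demo_* names are assumed.
 */

// BEFORE: any POST carrying the victim's session cookie is accepted.
// A form on an attacker-controlled page can submit this on the victim's
// behalf; the cookie rides along automatically.
function mya_demo_delete_listing_unsafe() {
    $id = intval( $_POST['listing_id'] ?? 0 );
    // ... delete listing $id ...
    wp_safe_redirect( admin_url( 'admin.php?page=mya-demo' ) );
    exit;
}

// AFTER: the request must carry a nonce minted for this user and this
// action, and the user must actually be allowed to perform the action.
function mya_demo_delete_listing_safe() {
    // Dies with HTTP 403 when the '_wpnonce' field is missing, expired, or
    // was minted for another user or action. The form below adds the field.
    check_admin_referer( 'mya_delete_listing' );

    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    $id = intval( $_POST['listing_id'] ?? 0 );
    if ( $id <= 0 ) {
        wp_die( esc_html__( 'Invalid listing.' ), '', array( 'response' => 400 ) );
    }
    // ... delete listing $id ...
    wp_safe_redirect( admin_url( 'admin.php?page=mya-demo' ) );
    exit;
}
// admin_post_{action} fires for logged-in users posting to admin-post.php
// with action=mya_delete_listing.
add_action( 'admin_post_mya_delete_listing', 'mya_demo_delete_listing_safe' );

// The legitimate form. The nonce field is the part a cross-origin page
// cannot forge: it is derived from the victim's own session and the action.
function mya_demo_render_delete_form( $listing_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mya_delete_listing">
        <input type="hidden" name="listing_id" value="<?php echo (int) $listing_id; ?>">
        <?php wp_nonce_field( 'mya_delete_listing' ); ?>
        <button type="submit">Delete listing</button>
    </form>
    <?php
}
```

To reproduce the failure case in staging, host a copy of the form on a different origin with the wp_nonce_field() line removed and submit it while logged in: check_admin_referer() rejects it with HTTP 403 ("The link you followed has expired"). For handlers reached through admin-ajax.php the equivalent is check_ajax_referer( 'mya_delete_listing' ), with the nonce created by wp_create_nonce() and sent as a request parameter.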
Update to version 3.6.34 or a newer patched version
CVE-2025-68567 is a Cross-Site Request Forgery (CSRF) vulnerability affecting My auctions allegro WordPress plugin versions 0.0.0–3.6.33; it lets an attacker make a logged-in user's browser perform plugin actions the user did not intend.
You are affected if you are using My auctions allegro plugin versions 0.0.0 through 3.6.33. Upgrade to 3.6.34 or later to mitigate the risk.
Upgrade the My auctions allegro plugin to version 3.6.34 or later. If an immediate upgrade is not possible, deactivate the plugin, restrict who can reach its admin pages, or put a WAF rule in front of its state-changing endpoints until you can.
There are currently no indications of active exploitation campaigns targeting CVE-2025-68567, but vigilance is still advised.
Refer to the vendor's advisory for the most up-to-date information and official recommendations regarding CVE-2025-68567.